CVE-2024-29180 in webpack-dev-middleware
Summary
by MITRE • 03/21/2024
Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory `memfs` filesystem. If `writeToDisk` configuration option is set to `true`, the physical filesystem is used. The `getFilenameFromUrl` method is used to parse URL and build the local file path. The public path prefix is stripped from the URL, and the `unsecaped` path suffix is appended to the `outputPath`. As the URL is not unescaped and normalized automatically before calling the midlleware, it is possible to use `%2e` and `%2f` sequences to perform path traversal attack.
Developers using `webpack-dev-server` or `webpack-dev-middleware` are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content. If the development server is listening on a public IP address (or `0.0.0.0`), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port). If the server allows access from third-party domains, an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files. Starting with fixed versions 7.1.0, 6.1.2, and 5.3.4, the URL is unescaped and normalized before any further processing.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 12/15/2025
The vulnerability described in CVE-2024-29180 represents a critical path traversal flaw in webpack-dev-middleware, a widely used development middleware for webpack projects. This issue affects versions prior to 7.1.0, 6.1.2, and 5.3.4, creating a significant security risk for developers who rely on this middleware for their local development environments. The vulnerability stems from insufficient URL validation mechanisms within the middleware's file access handling process, specifically in how it processes URL paths to determine file locations. The middleware operates in two primary modes, either using the physical filesystem or a virtualized in-memory memfs filesystem, with the physical filesystem mode being particularly dangerous when the writeToDisk configuration option is enabled. The core technical flaw occurs in the getFilenameFromUrl method which processes URL paths without proper normalization and unescaping, allowing maliciously crafted URLs to bypass intended security boundaries.
The operational impact of this vulnerability extends beyond typical development environments, creating a direct threat to developer machine security. Attackers can exploit this weakness to access any file on the developer's local machine, potentially exposing sensitive information such as source code, configuration files, API keys, and other confidential data stored locally. The vulnerability is particularly concerning because it can be exploited remotely when development servers are configured to listen on public IP addresses or when the server accepts cross-origin requests from external domains. The attack vector utilizes encoded path traversal sequences like %2e and %2f which represent dot and forward slash characters in URL encoding, allowing attackers to manipulate file paths and navigate outside the intended directory structure. This type of attack directly aligns with CWE-22 Path Traversal vulnerabilities and can be categorized under ATT&CK technique T1059 Command and Scripting Interpreter, where attackers leverage development tools to execute malicious operations.
The exploitation scenario becomes particularly dangerous when considering that many development environments are configured to be accessible from local networks or even the internet without proper security controls. Attackers can either connect directly to the development server port if it listens on 0.0.0.0, or they can craft malicious links that, when visited by a victim, automatically attempt to access local files through the victim's browser. This approach leverages the browser's ability to make requests to local servers, effectively turning the victim's browser into an attack vector. The vulnerability affects developers using webpack-dev-server or webpack-dev-middleware, which are integral components in modern web application development workflows, making the impact widespread across development teams. The fix implemented in versions 7.1.0, 6.1.2, and 5.3.4 addresses the root cause by ensuring that URLs are properly unescaped and normalized before any file access operations are performed, thereby preventing malicious path manipulation attempts. This remediation aligns with industry best practices for input validation and secure coding standards, effectively closing the attack surface that previously allowed arbitrary file access through path traversal techniques.